Pages

Tuesday, May 06, 2014

Reasons not to Login with Facebook, Twitter, etc

In the past few years, it has become common for web sites to allow users to create accounts by simply using their Facebook, Twitter or Google logins. I recoiled in horror the first time I saw it, and I thought it was a one-off hack. But then it became ever-more prevalent, and I slowly realized it was sanctioned.

I finally got around to investing about 2 hours of my life in better understanding this. It is part of a standard called OAuth (open authorization). It's interesting, powerful and convenient. But based on my research, I conclude my initial reaction is still valid. OAuth, as I understand it, has some substantial drawbacks (note--for convenience, the examples below refer to "Facebook", but it would be the same for any of the social sites that support the OAuth login buttons):

#1: The most severe is impersonation. When you use OAuth for authentication to, say, the sleaze.com website, sleaze.com retains a token, giving it the indefinite ability to impersonate you, at other sites! (I wonder if this is behind the bouts of bot-generated friend-spam I get periodically.)

#2: The website or app using Facebook login can, as part of the login request, bundle a request for authorizations to Facebook resources. E.g., "allow this app to post on your behalf" or "allow this app access to your address book". Of course the user has the opportunity to decline, and thereby cancel the login process, but they can't selectively decline the authorization requests. It is all-or-nothing. (Looks like that might be changing, at least at Facebook.)

#3: This creates one more avenue for Facebook to collect data about you. The last thing any of us need.

#4: It is a single point of failure. If for whatever reason, you get locked out of your Facebook account, you are locked out of all your other accounts, too. This could happen by your own mistakes, by Facebook's technical problems. It could also be a vector of attack from someone out to annoy you (try to login in as you to get your account locked).

There is a work-around that mitigates #2 and #3: create a special, fake Facebook account, solely for logins. But #1 and #4 are still problems, so I really don't think this is good enough.

Here is an excellent article on the topic, which pretty much says everything I did, but in far more detail.